CVSS3 metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |

EPSS | Value |
---|---|
Percentile | 15.5% |
Since ydb-go-sdk/v3.48.6, a custom credentials object (an implementation of the Credentials interface) may leak into logs. During connection to the YDB server the object could be serialized into an error message with fmt.Errorf("something went wrong (credentials: %q)", credentials). The %q verb renders its argument as a quoted string: if the argument implements fmt.Stringer, fmt calls its String() method; otherwise fmt falls back to reflection and prints the value's fields, so a struct that keeps the token in a plain field has that token written verbatim into the error text.

If such an error is logged, a malicious user with read access to the logs could recover the credentials and use them to access the database.

Who is impacted: applications that use a custom credentials object with an explicit token field.
A leak could have occurred only if all of these conditions were met simultaneously:

- The credentials object does not implement the fmt.Stringer interface (it has no String() method); in practice these are custom credentials, since the official credentials types have a String() method.
- A connection error occurred during ydb.Open(...).
- The application printed that error to its logs (ydb-go-sdk does not log such errors by default).

ydb-go-sdk contains this problem in versions from v3.48.6 to v3.53.2. The fix has been released in version v3.53.3 (PR #859).
Workaround: implement the fmt.Stringer interface on your custom credentials type with an explicit String() method that controls what is printed for the object's state and omits the token.
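The reflection fallback described above and the fmt.Stringer workaround, shown side by side as an added example (this is not code from ydb-go-sdk; the Credentials interface is a local copy modelled on the upstream single-method interface, and the token values are constructed for the demonstration). connectError reproduces the vulnerable formatting pattern quoted in the advisory; leaksToken is a helper for checking whether the raw token made it into the error text.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Credentials is a local stand-in for the interface in ydb-go-sdk's
// credentials package (assumption: modelled on the upstream interface so the
// example runs offline).
type Credentials interface {
	Token(ctx context.Context) (string, error)
}

// leakyCredentials is a custom credentials type with an explicit token field
// and no String() method: the shape the advisory says is affected.
type leakyCredentials struct {
	AccessToken string
}

func (c *leakyCredentials) Token(_ context.Context) (string, error) { return c.AccessToken, nil }

// safeCredentials carries the same secret but implements fmt.Stringer, the
// advisory's workaround. String() decides what is printed and never includes
// the token, so %v, %s and %q can no longer reach the field via reflection.
type safeCredentials struct {
	token string
}

func (c *safeCredentials) Token(_ context.Context) (string, error) { return c.token, nil }

func (c *safeCredentials) String() string {
	return "safeCredentials{token:<redacted>}"
}

// Compile-time checks: both types satisfy Credentials, and the safe type is a
// Stringer. Dropping the String() method makes the second line fail to build,
// which is the cheapest regression guard against reintroducing the leak.
var (
	_ Credentials = (*leakyCredentials)(nil)
	_ Credentials = (*safeCredentials)(nil)
	_ fmt.Stringer = (*safeCredentials)(nil)
)

// connectError reproduces the vulnerable pattern quoted in the advisory: the
// credentials object itself is passed to fmt.Errorf with the %q verb.
func connectError(creds Credentials) error {
	return fmt.Errorf("something went wrong (credentials: %q)", creds)
}

// leaksToken reports whether the error message contains the raw token.
func leaksToken(err error, token string) bool {
	return strings.Contains(err.Error(), token)
}

func main() {
	const token = "t1.example-token" // constructed value, not a real token

	leaky := &leakyCredentials{AccessToken: token}
	safe := &safeCredentials{token: token}

	// No String() method: fmt walks the struct by reflection and quotes each
	// field, so the token lands in the error text:
	//   something went wrong (credentials: &{"t1.example-token"})
	fmt.Println(connectError(leaky))

	// With String(): fmt quotes the String() result instead:
	//   something went wrong (credentials: "safeCredentials{token:<redacted>}")
	fmt.Println(connectError(safe))

	fmt.Println("leaky leaks:", leaksToken(connectError(leaky), token)) // true
	fmt.Println("safe leaks: ", leaksToken(connectError(safe), token))  // false
}
```

The pointer receiver on String() matters: fmt only finds the method on the dynamic type it is handed, so if your code passes the credentials by value, implement String() on the value receiver (or on both), otherwise the reflection fallback still applies.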
Vendor | Product | Version | CPE |
---|---|---|---|
ydb-platform | ydb-go-sdk | * | cpe:2.3:a:ydb-platform:ydb-go-sdk:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-q24m-6h38-5xj8
github.com/ydb-platform/ydb-go-sdk/blob/master/credentials/credentials.go#L10
github.com/ydb-platform/ydb-go-sdk/blob/v3.48.6/internal/balancer/balancer.go#L71
github.com/ydb-platform/ydb-go-sdk/commit/a0d92057c4e1bbdc5e85ae8d649edb0232b8fd4c
github.com/ydb-platform/ydb-go-sdk/pull/859
github.com/ydb-platform/ydb-go-sdk/security/advisories/GHSA-q24m-6h38-5xj8
nvd.nist.gov/vuln/detail/CVE-2023-45825